Commit message | Author | Age | Files | Lines
* Update VERSION to 8.8.7 (tag: v8.8.7) | Robert Speicher | 2016-06-30 | 1 file | -1/+1
* Merge branch '18033-private-repo-mentions' into 'master' | Douwe Maan | 2016-06-30 | 4 files | -2/+40
  Ensure logged-out users can't see private refs
  https://gitlab.com/gitlab-org/gitlab-ce/issues/18033
  I'm still not sure what to do about the CHANGELOG on security issues - should I add to a patch release? This issue was assigned to 8.10.
  See merge request !1974
  (cherry picked from commit 3a6ebb1fd624c216a4ce65380e64072793b7ccda)
* Merge branch '19312-confidential-issue' into 'master' | Douwe Maan | 2016-06-30 | 4 files | -7/+27
  Fix privilege escalation issue with OAuth external users
  Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/19312
  This MR fixes a privilege escalation issue, where manually set external users would be reverted back to internal users if they logged in via OAuth and that provider was not in the `external_providers` list.
  /cc @douwe
  See merge request !1975
  (cherry picked from commit 5e6342b7ac08b4b37b233cad54f4aeaf0144b977)
* Update VERSION to 8.8.6 (tag: v8.8.6) | Robert Speicher | 2016-06-27 | 1 file | -1/+1
* Merge branch 'fix-18997' into 'master' | Robert Speicher | 2016-06-27 | 4 files | -2/+138
  Fix visibility of snippets when searching
  Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18997
  See merge request !1972
  (cherry picked from commit 8a197c15d453de619fbe8aaebfe9e29b82eb873c)
* Merge branch 'update-omniauth-saml' into 'master' | Stan Hu | 2016-06-27 | 3 files | -12/+9
  Update omniauth-saml to 1.6.0 to address a security vulnerability in ruby-saml
  Updates `omniauth-saml` to bring in the new `ruby-saml` dependency that addresses [CVE-2016-5697](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5697)
  Fixes #19206
  See merge request !4951
  (cherry picked from commit c3a8b252cdf569729e5e1e8e0614b4d2e5226371)
* Update VERSION to 8.8.5 (tag: v8.8.5) | Tomasz Maczukin | 2016-06-15 | 1 file | -1/+1
* Merge branch '18535-confidential-issue-notes' into 'master' | Robert Speicher | 2016-06-15 | 3 files | -1/+18
  Only show notes through JSON on confidential issues that the user has access to
  Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/18535
  See merge request !1970
* Update CHANGELOG for 8.8.5 | Tomasz Maczukin | 2016-06-14 | 1 file | -6/+6
* Merge branch '17298-wiki-xss' into 'master' | Robert Speicher | 2016-06-14 | 2 files | -0/+4
  Forbid scripting for wiki files
  Wiki files (not pages - files in the repo) are just sent to the browser with whatever content-type the mime_types gem assigns to them based on their extension. As this is from the same domain as the GitLab application, this is an XSS vulnerability.
  Set a CSP forbidding all sources for scripting, CSS, XHR, etc. on these files.
  Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17298.
  See merge request !1969
* Merge branch 'fix/unauthorized-access-to-build-data' into 'master' | Douwe Maan | 2016-06-14 | 4 files | -34/+139
  Remove 'unscoped' from project builds selection
  This is a fix for this security bug: https://gitlab.com/gitlab-org/gitlab-ce/issues/18188
  /cc @kamil @grzegorz @stanhu
  See merge request !1968
* Merge branch 'fix/incremental-trace-update-api' into 'master' | Rémy Coutable | 2016-06-14 | 2 files | -2/+3
  Fix UTF-8 handling in incremental trace update API
  ## What does this MR do?
  This MR fixes invalid UTF-8 handling in the incremental trace update API (used by GitLab Runner).
  ## Why was this MR needed?
  The current version uses the `.length` method to determine the current trace size, whereas Runner uses the trace size in bytes. This byte size is also used in headers and file operations to agree on the trace part to send. This is a problem when the build trace contains any multi-byte UTF-8 characters. This MR fixes this situation so all parts use the same size in bytes.
  ### Runner -> API communication before fix:
  ```
  Checking for builds... received runner=_token_
  gitlab-ci-multi-runner 1.3.0~beta.26.gcfd63b9 (cfd63b9) build=25 runner=_token_
  Using Docker executor with image debian:jessie ... build=25 runner=_token_
  Pulling docker image debian:jessie ... build=25 runner=_token_
  25 Submitting build to coordinator... ok runner=_token_
  25 Appending trace to coordinator... ok RemoteRange=0-158 RemoteState=running ResponseMessage=202 Accepted ResponseStatusCode=202 SentRange=0-158 runner=_token_
  25 Appending trace to coordinator... ok RemoteRange=0-491 RemoteState=running ResponseMessage=202 Accepted ResponseStatusCode=202 SentRange=158-505 runner=_token_
  WARNING: 25 Appending trace to coordinator... range missmatch RemoteRange=0-491 RemoteState= ResponseMessage=416 Requested Range Not Satisfiable ResponseStatusCode=416 SentRange=505-584 runner=_token_
  WARNING: 25 Resending trace patch due to range missmatch runner=_token_
  25 Appending trace to coordinator... ok RemoteRange=0-556 RemoteState=running ResponseMessage=202 Accepted ResponseStatusCode=202 SentRange=491-584 runner=_token_
  WARNING: 25 Appending trace to coordinator... range missmatch RemoteRange=0-556 RemoteState= ResponseMessage=416 Requested Range Not Satisfiable ResponseStatusCode=416 SentRange=584-663 runner=_token_
  WARNING: 25 Resending trace patch due to range missmatch runner=_token_
  25 Appending trace to coordinator... ok RemoteRange=0-621 RemoteState=running ResponseMessage=202 Accepted ResponseStatusCode=202 SentRange=556-663 runner=_token_
  Build succeeded build=25 runner=_token_
  WARNING: 25 Appending trace to coordinator... range missmatch RemoteRange=0-621 RemoteState= ResponseMessage=416 Requested Range Not Satisfiable ResponseStatusCode=416 SentRange=663-797 runner=_token_
  WARNING: 25 Resending trace patch due to range missmatch runner=_token_
  25 Appending trace to coordinator... ok RemoteRange=0-741 RemoteState=running ResponseMessage=202 Accepted ResponseStatusCode=202 SentRange=621-797 runner=_token_
  25 Submitting build to coordinator... ok runner=_token_
  ```
  ### Runner -> API communication after fix:
  ```
  Checking for builds... received runner=_token_
  gitlab-ci-multi-runner 1.3.0~beta.26.gcfd63b9 (cfd63b9) build=26 runner=_token_
  Using Docker executor with image debian:jessie ... build=26 runner=_token_
  Pulling docker image debian:jessie ... build=26 runner=_token_
  26 Submitting build to coordinator... ok runner=_token_
  26 Appending trace to coordinator... ok RemoteRange=0-158 RemoteState=running ResponseMessage=202 Accepted ResponseStatusCode=202 SentRange=0-158 runner=_token_
  26 Appending trace to coordinator... ok RemoteRange=0-505 RemoteState=running ResponseMessage=202 Accepted ResponseStatusCode=202 SentRange=158-505 runner=_token_
  26 Appending trace to coordinator... ok RemoteRange=0-584 RemoteState=running ResponseMessage=202 Accepted ResponseStatusCode=202 SentRange=505-584 runner=_token_
  26 Appending trace to coordinator... ok RemoteRange=0-663 RemoteState=running ResponseMessage=202 Accepted ResponseStatusCode=202 SentRange=584-663 runner=_token_
  Build succeeded build=26 runner=_token_
  26 Submitting build to coordinator... ok runner=_token_
  ```
  See merge request !4541
* Merge branch 'gh-disable-webhooks' into 'master' | Douwe Maan | 2016-06-14 | 1 file | -0/+1
  Check if GitHub rate limit API was reached before updating Webhooks
  ## What does this MR do?
  Checks if the job needs to sleep, and waits for the rate limit to be reset before updating each Webhook.
  ## Are there points in the code the reviewer needs to double check?
  No.
  ## Why was this MR needed?
  The import process can fail if the API rate limit was reached during the import process.
  ## What are the relevant issue numbers?
  https://gitlab.com/gitlab-org/gitlab-ce/issues/17498
  ## Screenshots (if relevant)
  Not relevant.
  See merge request !4509
* Merge branch 'saml-ldap-link-flow' into 'master' | Douwe Maan | 2016-06-14 | 4 files | -7/+33
  Adjust the SAML control flow to allow LDAP identities to be added to an existing SAML user.
  It correctly lets an existing SAML user add their LDAP identity automatically at login.
  A customer had issues with the `auto_link_ldap_user` feature. The flow was not working if there was an account with a SAML identity, but no LDAP identity. GitLab would pick up the correct LDAP person, but due to the order of the flow, that LDAP person was never associated with the user.
  Fixes #17346
  /cc @dblessing @balameb @stanhu
  See merge request !4498
* Merge branch 'gh-fix-comments-on-diff' | Douwe Maan | 2016-06-14 | 3 files | -0/+8
* Merge branch 'gh-disable-webhooks' | Douwe Maan | 2016-06-14 | 5 files | -5/+116
* Merge branch 'todos-filter-project-delete' into 'master' | Douwe Maan | 2016-06-14 | 3 files | -3/+29
  Ensure we don't show TODOS for projects pending delete
  Joins the todos on the projects table in order to run the default scope. Also includes a where clause because the default scope is being removed soon.
  An alternative approach, more like the Issues page, would be to filter down the list by passing user.authorized_projects into the where clause. Or we could just be more defensive in the view when iterating.
  Todos page throws 500 error for users with todos in a project pending deletion.
  Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17813
  cc @stanhu
  See merge request !4300
* Merge branch 'gh-rate-limit' | Douwe Maan | 2016-06-14 | 7 files | -36/+99
* Update CHANGELOG for 8.8.4 | Robert Speicher | 2016-06-09 | 1 file | -1/+1
  [ci skip]
* Update VERSION to 8.8.4 (tag: v8.8.4) | Robert Speicher | 2016-06-09 | 1 file | -1/+1
* Merge branch 'rs-fix-ldap-2fa-login' into 'master' | Robert Speicher | 2016-06-09 | 2 files | -1/+5
  Fix 2FA-based login for LDAP users
  The OTP input form is shared by both LDAP and standard logins, but when coming from an LDAP-based form, the form parameters aren't nested in a Hash based on the `resource_name` value.
  Now we check for a nested `remember_me` parameter and use that if it exists, or fall back to the non-nested parameters if it doesn't.
  Somewhat confusingly, the OTP input form _does_ nest parameters under the `resource_name`, regardless of what type of login we're coming from, so that allows everything else to work as normal.
  Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/18185
  See merge request !4493
* Update VERSION to 8.8.3 (tag: v8.8.3) | Robert Speicher | 2016-06-02 | 1 file | -1/+1
* Update CHANGELOG for 8.8.3 | Robert Speicher | 2016-06-02 | 1 file | -5/+5
* Merge branch 'issue_18102' into 'master' | Robert Speicher | 2016-06-02 | 2 files | -2/+1
  Fixes missing number on generated ordered list
  Closes #18102
  See merge request !4437
* Merge branch 'fix-inline-filter-speed' into 'master' | Stan Hu | 2016-06-02 | 2 files | -4/+9
  Fix serious performance bug with rendering Markdown with InlineDiffFilter
  Nokogiri's `node.replace` was being unnecessarily called for every text node in the document due to a comparison bug. The code previously was comparing the HTML representation of the full document against the text node, which would always fail. Fix the comparison to just compare the modified text.
  Closes #18011
  See merge request !4392
* Merge branch 'data_leak' into 'master' | Robert Speicher | 2016-06-02 | 4 files | -4/+40
  Confidential notes data leak
  Fixes part of https://gitlab.com/gitlab-org/gitlab-ee/issues/575
  See merge request !1967
* Merge branch 'chujinjin/gitlab-ce-fix_wiki_project_clone_address_error' into 'master' | Rémy Coutable | 2016-06-02 | 2 files | -1/+2
  Fix wiki project clone address error
  _Note: Originally opened at !4407 by @chujinjin._
  ---
  Fix wiki project clone address error in Wiki Git Access View, shown below:
  ![image](/uploads/5e3bf6d1418c42862a885319c31bc3cf/image.png)
  Fixes #17643.
  See merge request !4429
* Merge branch 'downcase-registry-repository' into 'master' | Stan Hu | 2016-06-02 | 3 files | -3/+17
  Use downcased path to container repository as this is the path expected by Docker
  Docker Engine requires the path to be lowercase. This makes all container registry paths be shown and used downcased instead of mixed case.
  Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17959
  See merge request !4420
* Merge branch 'fix/error-500-in-pipeline-when-fork' into 'master' | Rémy Coutable | 2016-06-02 | 3 files | -8/+67
  Use project that belongs to pipeline in view
  This MR makes the project in the pipelines view match the one that the pipeline has been created for.
  Closes #17943
  See merge request !4376
* Added CHANGELOG entry for !4369 | Yorick Peterse | 2016-06-02 | 1 file | -0/+1
* Merge branch 'rs-remember-me-2fa' into 'master' | Douwe Maan | 2016-06-02 | 5 files | -3/+35
  Pass the "Remember me" value to the 2FA token form
  Prior, if a user had 2FA enabled and checked the "Remember me" field, the setting was ignored because the OTP input was on a new form and the value was never passed.
  Closes #18000
  See merge request !4369
* Merge branch 'container-registry-token-ttl' into 'master' | Douwe Maan | 2016-06-02 | 11 files | -26/+80
  Add Application Setting to configure Container Registry token expire delay (default 5min)
  This adds an option to configure Container Registry token expire delay. The default is set to 5mins (something that is also used by Docker Hub).
  What is left:
  * [x] Write test to check the expire_delay
  Fixes: https://gitlab.com/gitlab-org/gitlab-ce/issues/17890
  @stanhu I think that this should land in patch release of 8.8.
  See merge request !4364
* Fixed CHANGELOG entry for !4363 | Yorick Peterse | 2016-06-02 | 1 file | -17/+1
* Merge branch 'make-container-registry-authentication-service-compatible-with-older-docker' into 'master' | Stan Hu | 2016-06-02 | 4 files | -33/+36
  Make authentication service for Container Registry compatible with < Docker 1.11
  This removes the usage of `offline_token`, which is only present when using `Docker 1.11.x`; instead we rely on `scope`. This should make it compatible with any client starting from 1.6 (I did test only 1.8 and up).
  Right now we return 403 if an unauthorized user doesn't have access to anything. In all other cases we return a token, but with empty `access`, which simply disallows the requested action.
  See merge request !4363
* Fixed CHANGELOG entry for !4332 | Yorick Peterse | 2016-06-02 | 1 file | -4/+1
* Merge branch 'current-settings-use-request-store-during-request' | Douwe Maan | 2016-06-02 | 8 files | -22/+34
* Fixed CHANGELOG entry for !4321 | Yorick Peterse | 2016-06-02 | 1 file | -2/+1
* Merge branch 'fix/migration-uri-issue' into 'master' | Robert Speicher | 2016-06-02 | 2 files | -1/+3
  Fix import URL migration error
  Fixes https://gitlab.com/gitlab-org/gitlab-ce/issues/17956
  See merge request !4321
* Fixed CHANGELOG entry for !4312 | Yorick Peterse | 2016-06-02 | 1 file | -23/+1
* Merge branch 'fix-404-labels-in-todos' into 'master' | Douwe Maan | 2016-06-02 | 3 files | -1/+47
  Fix 404 page when viewing TODOs that contain milestones or labels in different projects
  A user viewing the TODOs page will see a 404 if there are mentioned milestones or labels in multiple different projects. This is likely a caching bug and only occurs when Markdown rendering occurs across multiple projects, which is why it's so tricky to reproduce.
  This is what I think is happening:
  1. LabelReferenceFilter#references_in encounters label ~X for ProjectA and finds the label in the DB as id = 1.
  2. LabelReferenceFilter.references_in yields [1, 'X', nil, ...]
  3. Since project_ref is nil, AbstractReferenceFilter#project_from_ref_cache caches nil => ProjectA.
  4. LabelReferenceFilter#references_in encounters label ~Y for ProjectB and finds the label in the DB as id = 2.
  5. LabelReferenceFilter.references_in yields [2, 'Y', nil, ...]
  6. AbstractReferenceFilter#project_from_ref_cache looks up nil and returns ProjectA. It was supposed to be ProjectB.
  7. A is the wrong project, so the label lookup fails.
  This MR expands the `project_ref` to the right value as soon as we have it to avoid this caching bug.
  Closes #17898
  See merge request !4312
* Merge branch 'fix-shortcuts-spec' into 'master' | Jacob Schatz | 2016-06-02 | 1 file | -2/+2
  Ensure project name is present on page
  ## What does this MR do?
  Fixes a failing spec
  See merge request !4307
* Added CHANGELOG entry for !4303 | Yorick Peterse | 2016-06-02 | 1 file | -0/+1
* Merge branch 'discussion-outdated-form' into 'master' | Jacob Schatz | 2016-06-02 | 1 file | -1/+1
  Fixed JS error when trying to remove discussion form
  ## What does this MR do?
  Fixes a JS error which was caused by an ID of the form not matching what was returned by the JSON. Instead of checking that, it gets the current form from the ajax success event.
  This would only happen on outdated discussions because the ID of the discussion form ends with `-false` because it isn't active. However, the note is added to an active discussion so the ID returned actually ends in `-true` & therefore the JS couldn't find the correct form.
  ## What are the relevant issue numbers?
  Closes #17778
  See merge request !4303
* Fixed CHANGELOG for !4301 | Yorick Peterse | 2016-06-02 | 1 file | -3/+1
* Merge branch 'fix/gitlab-importer-issue' into 'master' | Robert Speicher | 2016-06-02 | 2 files | -3/+6
  Fix gitlab importer issue
  Fixed credentials not being called correctly - probably some bad refactoring or search & replace...
  Fixes https://gitlab.com/gitlab-org/gitlab-ee/issues/565
  See merge request !4301
* Added CHANGELOG entry for !4287 | Yorick Peterse | 2016-06-02 | 1 file | -0/+1
* Merge branch 'merge-button-color-fix' into 'master' | Jacob Schatz | 2016-06-02 | 2 files | -3/+4
  Fixed issue with button color when no CI enabled
  ## What does this MR do?
  Fixes an issue with the color of the merge button when no CI is setup.
  ## What are the relevant issue numbers?
  Closes #17844
  ## Screenshots
  ![Screen_Shot_2016-05-25_at_09.58.44](/uploads/87aac74c5e2f8bfd2831e99c5915856d/Screen_Shot_2016-05-25_at_09.58.44.png)
  See merge request !4287
* Merge branch 'generic-commit-status' into 'master' | Jacob Schatz | 2016-06-02 | 1 file | -7/+7
  Move tags to column in generic_commit_status
  Part of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/4249
  cc @ayufan
  See merge request !4277
* Moved CHANGELOG entry for !4230 | Yorick Peterse | 2016-06-02 | 1 file | -1/+1
* Merge branch 'improve-pipeline-design' into 'master' | Douwe Maan | 2016-06-02 | 12 files | -56/+45
  Improve design of Pipeline view
  ## What does this MR do?
  Improves current design of Pipelines view when there are multiple stages. This makes the statuses clickable and makes the view more compact.
  ## Screenshots (if relevant)
  ![Screen_Shot_2016-05-21_at_01.20.40](/uploads/dd031b7af7005c7a61f3165fefa8b7c9/Screen_Shot_2016-05-21_at_01.20.40.png)
  cc @DouweM @markpundsack @rspeicher @marin
  See merge request !4230